inWebo Virtual Authenticator

inWebo Virtual Authenticator is a “revolutionary” authentication method using a javascript. It takes a few lines to add it to your sign-in page. The users’ web browsers are automatically compatible. Users need no token, no smartphone, no plugin.

The latest inWebo authentication method

Virtual Authenticator is the latest authentication method added by inWebo to its solutions, and the successor of Helium, a browser-based authentication method released in 2012, used to protect millions of identities.

The name refers to inWebo Authenticator, the smartphone App available for iOS, Android, and Windows Phone, which supports on-demand OTP (one-time passwords) as well as OTP triggered by push notifications. The reference goes beyond the name, since Virtual Authenticator and inWebo Authenticator share a common user experience. In particular, users have the same PIN for a given service on Virtual Authenticator and on inWebo Authenticator. This is the same experience on web and mobile, in both cases just a PIN to enter, no ‘security codes’ or copy-paste or App to launch.

The benefits of browser-based authentication

First, users don’t need a token or a phone to sign in to your applications. This makes it easy to deploy MFA to users who don’t have a smartphone or don’t want to use it for MFA (e.g. employees of an organization that has not equipped users with smartphones). Also, Virtual Authenticator provides a better experience to sign in to applications than smartphone-based MFA. Therefore, on a daily basis, users will prefer to use Virtual Authenticator for MFA when they connect from their usual devices (desktops, laptops, tablets…), even if they have a smartphone that they could use for MFA. The smartphone will rather be used for MFA when connecting from a new or unregistered device.

In terms of security, Virtual Authenticator is actually better than push-based, SMS-based, or token-based OTP since, unlike these methods, it is not vulnerable to phishing and Man-in-the-Middle attacks. The only other authentication products with such security are connected hardware tokens, such as smartcard readers. However, the convenience and costs of such methods cannot be compared to Virtual Authenticator’s.

Finally, from an organization perspective, deploying Virtual Authenticator is, actually, not a deployment. There is no software to install or to distribute to the users. You only need to make a change to your authentication page and to authorize Virtual Authenticator from your inWebo administration account. This is described here.

All things considered, this is the easiest to roll out authentication method.

A smooth transition from inWebo Helium

For those already familiar with inWebo Helium, Virtual Authenticator is not a revolution. It comes with features already available with Helium, such as:

1- or 2-factor OTP generation; it can therefore be used both in step-up authentication and multi-factor authentication scenarios

PIN change

PIN reset

a security self-check based on a secret sentence optionally defined by the user, which can be verified by the user whenever he is asked to enter his PIN in Virtual Authenticator.

As it was the case for Helium, the secret sentence is only displayed after a successful and automatic browser authentication with inWebo servers. It cannot be obtained by phishing. We have slightly changed the way it is presented and made it similar to how websites using SSL certificates are displayed in browsers, since users are now familiar with that.

Additionally, Virtual Authenticator has a keyboard for the PIN-entry, which is especially useful with touch screens.

Helium is still supported

New customers are proposed Virtual Authenticator and inWebo Authenticator as a default. Customers already using Helium will not see any change since there is no automatic or required migration to Virtual Authenticator. Helium will continue to be supported for existing customers, but also for new customers needing more customization (e.g. branding or PIN policy).

Can I see it?

Yes, we would love to. You are only 3 clicks away. Just sign up for a free trial account for your organization here. You will be able to use Virtual Authenticator to access your administration account, but also to provide it to users so that they access your applications safely and conveniently.